We will not validate IP addresses as part of assertion validation

fhanik · fhanik · commit 37987d68a0cd · 2019-10-28T19:40:57.000-07:00
Fixes spring-projectsgh-7514 spring-projects#7514
diff --git a/saml2/saml2-service-provider/src/main/java/org/springframework/security/saml2/provider/service/authentication/OpenSamlAuthenticationProvider.java b/saml2/saml2-service-provider/src/main/java/org/springframework/security/saml2/provider/service/authentication/OpenSamlAuthenticationProvider.java
@@ -45,6 +45,7 @@
 import org.opensaml.saml.saml2.core.NameID;
 import org.opensaml.saml.saml2.core.Response;
 import org.opensaml.saml.saml2.core.Subject;
+import org.opensaml.saml.saml2.core.SubjectConfirmation;
 import org.opensaml.saml.saml2.encryption.Decrypter;
 import org.opensaml.saml.security.impl.SAMLSignatureProfileValidator;
 import org.opensaml.security.credential.Credential;
@@ -327,6 +328,15 @@ private void validateAssertion(String recipient, Assertion a, Saml2Authenticatio
 		//ensure that OpenSAML doesn't attempt signature validation, already performed
 		a.setSignature(null);
 
+		//ensure that we don't validate IP addresses as part of our validation gh-7514
+		if (a.getSubject() != null) {
+			for (SubjectConfirmation sc : a.getSubject().getSubjectConfirmations()) {
+				if (sc.getSubjectConfirmationData() != null) {
+					sc.getSubjectConfirmationData().setAddress(null);
+				}
+			}
+		}
+
 		//remainder of assertion validation
 		ValidationContext vctx = new ValidationContext(validationParams);
 		try {
diff --git a/saml2/saml2-service-provider/src/test/java/org/springframework/security/saml2/provider/service/authentication/OpenSamlAuthenticationProviderTests.java b/saml2/saml2-service-provider/src/test/java/org/springframework/security/saml2/provider/service/authentication/OpenSamlAuthenticationProviderTests.java
@@ -215,6 +215,23 @@ public void authenticateWhenUsernameMissingThenThrowAuthenticationException() th
 		provider.authenticate(token);
 	}
 
+	@Test
+	public void authenticateWhenAssertionContainsValidationAddressThenItSucceeds() throws Exception {
+		Response response = response(recipientUri, idpEntityId);
+		Assertion assertion = defaultAssertion();
+		assertion.getSubject().getSubjectConfirmations().forEach(
+				sc -> sc.getSubjectConfirmationData().setAddress("10.10.10.10")
+		);
+		signXmlObject(
+				assertion,
+				assertingPartyCredentials(),
+				recipientEntityId
+		);
+		response.getAssertions().add(assertion);
+		token = responseXml(response, idpEntityId);
+		provider.authenticate(token);
+	}
+
 	@Test
 	public void authenticateWhenEncryptedAssertionWithoutSignatureThenItFails() throws Exception {
 		Response response = response(recipientUri, idpEntityId);
